Listing of Claims ; 

1. (Previously Presented) A method of managing alerts issued by intrusion detection 
sensors of an information security system including an alert management system, each alert 
being defined by an alert identifier and an alert content, the method comprising: 

associating with each of the alerts issued by the intrusion detection sensors 

a description including a conjunction of valued attributes belonging to attribute 

domains; 

organizing the valued attributes belonging to each attribute domain into a 
taxonomic structure defining generalization relationships between said valued 
attributes, a plurality of attribute domains forming a plurality of taxonomic 
structures; 

completing the description of each of said alerts with sets of generalized 
valued attributes induced by the taxonomic structures based on the valued 
attributes of said alerts to form complete alerts; 

storing said complete alerts in a logic file system to enable said complete 
alerts to be consulted; and 

consulting the complete alerts by at least one of successively interrogating 
and browsing said complete alerts so that the alert management system responds 
to a request by supplying pertinent valued attributes enabling a subset of complete 
alerts to be distinguished in a set of complete alerts satisfying the request to 
enable said request to be refined, said request being a logic formula of at least one 
of said valued attributes; 



wherein each complete alert is saved in the logic file system as a file with 
a completed description of each complete alert expressed using prepositional 
logic. 

2. (Canceled) 

3. (Currently Amended) The method according to claim [[2]] 1, wherein the pertinent 
valued attributes assigned a highest priority are those that are most general, given the taxonomic 
structures. 

4. (Currently Amended) The method according to claim [[2]] I, wherein the alert 
management system further responds to the request by supplying alert identifiers satisfying the 
request and whose description cannot be refined with respect to said request. 

5. (Previously Presented) The method according to claim 1, wherein the alert identifier is 
a pair consisting of an identifier of the intrusion detection sensor that produces the alert and an 
alert serial number assigned by said intrusion detection sensor. 

6. (Previously Presented) The method according to claim 1, wherein the content of each 
alert includes a text message supplied by a corresponding intrusion detection sensor. 

7. (Previously Presented) The method according to claim 1 , wherein each valued attribute 
includes an attribute identifier and an attribute value. 



8. (Previously Presented) The method according to claim 7, wherein each attribute 
identifier is associated with one of the following attribute domains: attack domain, attacker 
identity domain, victim identity domain and attack date domain. 

9. (Previously Presented) The method according to claim 1, wherein the description of a 
given alert is completed by recovering, recursively from generalization relationships of the 
taxonomic structures, a set including more general valued attributes not already included in the 
description of another alert completed previously. 

10. (Previously Presented) The method according to claim 1, wherein the valued 
attributes in the taxonomic structure are organized in accordance with an acyclic directed graph. 

11. (Canceled) 

12. (Previously Presented) Alert management system for managing alerts issued by 
intrusion detection sensors, each alert being defined by an alert identifier and an alert content, the 
system comprising: 

processor means for associating with each of the alerts issued by the 
intrusion detection sensors a description including a conjunction of valued 
attributes belonging to attribute domains; 

processor means for organizing the valued attributes belonging to each 
attribute domain into a taxonomic structure defining generalization relationships 



between said valued attributes, a plurality of attribute domains forming a plurality 
of taxonomic structures; 

processor means for completing the description of each of said alerts with 
sets of generalized valued attributes induced by the taxonomic structures based on 
the valued attributes of said alerts to form complete alerts; 

processor means for storing said complete alerts in a logic file system to 
enable said complete alerts to be consulted; and 

processor means for consulting the complete alerts by at least one of 
successively interrogating and browsing said complete alerts so that the alert 
management system responds to a request by supplying pertinent valued attributes 
enabling a subset of complete alerts to be distinguished in a set of complete alerts 
satisfying the request to enable said request to be refined, said request being a 
logic formula of at least one of said valued attributes; 

wherein each complete alert is saved in the logic file system as a file with 
a completed description of each complete alert expressed using prepositional 
logic. 

13. (Previously Presented) Information security system comprising intrusion detection 
sensors and the alert management system according to claim 12. 



